** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1783110

Title:
  >= linux-4.4.0-130: 14 bytes memory leaked when sending AF_PACKET /
  SOCK_RAW frames

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released

Bug description:
  Vulnerable: linux-image-4.4.0-130-generic, linux-image-4.4.0-131-generic
  Not vulnerable: linux-image-4.4.0-128-generic

  Bug (likely) introduced by commit:
  https://github.com/torvalds/linux/commit/b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba

  Likely fixed upstream with (NOT VERIFIED):
  https://github.com/torvalds/linux/commit/9aad13b087ab0a588cd68259de618f100053360e

  Discussion about these commits on the mailing list, including someone
  referring to this bug:
  https://www.mail-archive.com/search?l=net...@vger.kernel.org&q=subject:%22Re%5C%3A+%5C%5BPATCH+net%5C%5D+packet%5C%3A+in+packet_snd+start+writing+at+link+layer+allocation%22&o=newest&f=1

  When sending packets with AF_PACKET / SOCK_RAW, the actual transmitted
  packet contains 14 additional bytes at the end of the payload.
  Observations do show non-zero bytes getting leaked.

  See attached source for a simple proof of concept that sends a raw
  packet on the loopback interface. The payload should be 40 bytes of
  0xAA, but tcpdump clearly shows 14 additional bytes are added.
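
A check for the symptom described above, added here as an example; it is not the proof of concept attached to the bug. It sends one 54-byte frame on loopback and measures what a capture socket on the same interface sees. Assumptions: Python 3 on Linux, run with root or CAP_NET_RAW, and the EtherType 0x88B5 and the function names are choices made for this example.

```python
import socket

ETH_HLEN = 14        # Ethernet header length; also the surplus size in the report
ETH_P_ALL = 0x0003   # capture every protocol
ETH_P_TEST = 0x88B5  # IEEE "local experimental" EtherType (assumed choice)

def build_frame(payload_len=40, fill=0xAA):
    """Zero dst/src MAC + EtherType + payload (the report uses 40 bytes of 0xAA)."""
    return bytes(12) + ETH_P_TEST.to_bytes(2, "big") + bytes([fill]) * payload_len

def surplus(sent, captured):
    """Bytes appended after the frame we sent; None if `captured` is another frame."""
    if len(captured) < len(sent) or captured[:len(sent)] != sent:
        return None
    return captured[len(sent):]

def probe(ifname="lo", timeout=2.0):
    """Send one frame on `ifname`; return the surplus bytes seen by the capture
    socket, or None if the frame was not observed before a receive timed out."""
    frame = build_frame()
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                       socket.htons(ETH_P_ALL)) as rx, \
         socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as tx:
        rx.bind((ifname, ETH_P_ALL))
        rx.settimeout(timeout)
        tx.bind((ifname, ETH_P_TEST))
        tx.send(frame)
        try:
            while True:  # skip unrelated loopback traffic
                extra = surplus(frame, rx.recv(65535))
                if extra is not None:
                    return extra
        except socket.timeout:
            return None

if __name__ == "__main__":
    extra = probe()
    if extra is None:
        print("test frame not observed")
    elif extra:
        print(f"AFFECTED: {len(extra)} surplus bytes (report: {ETH_HLEN}), "
              f"non-zero content: {any(extra)}")
    else:
        print("ok: frame captured at its original length")
```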
